This whitepaper highlights the often overlooked weak link in cyber security: your staff. You will learn about the issues, the statistics and the solutions. Let’s start with a real security nightmare from one of our clients. No matter your size, information is likely your company’s most important asset. Anyone with access to any part of the system, physically or electronically, is a potential security risk. The main security breaches caused by employees are:
Generation X and Y grew up in the Internet age, where an infinite volume of information is as close as the nearest Wi-Fi hotspot. There is an expectation that digital information is readily available and free. This culture of carelessness is a real security threat. These generations’ digital habits risk devaluing information as a proprietary resource. Problems arise when employees treat data casually: sharing it widely, sharing it on social media, and taking valuable information with them when they leave.
Same Staff, More Devices – IT staff are each dealing with about the same number of employees. However, the number of devices has tripled or more. This is a result of the smartphone and tablet explosion and the BYOD (bring your own device) phenomenon. The complexity of handling these “additional” devices has opened security holes that are often exploited.
BYOD – When you have a BYOD policy, there is the obvious risk of an employee leaving with your data on their device. What many organizations don’t factor in is that mobile apps for personal use may unwittingly allow third-party access to corporate information stored on those devices. These apps may also be pre-infected with malware, which hackers can instruct to steal information from the device without alerting the user. As well, should employees connect to open Wi-Fi networks, the corporate data stored on their devices might also be exposed.
Lost and Stolen Devices – In their “Billion Dollar Lost Laptop Study,” independent research firm Ponemon Institute concluded that the average cost of a stolen laptop came to over $49,000, and topped $56,000 if the device didn’t include adequate safety measures (which the majority in the study did not). The cost of the hardware and software replacement is just the start. The real costs are the recovery costs and legal fees.
Weak Passwords – Too many of us use very weak passwords. These passwords are frequently attacked. However, that’s not the only issue. We’ve all used the “I forgot my password” button, where you’re either sent an email or prompted to answer a few personal questions. Unfortunately, the security of the password reset function is often weaker than the password itself, making these functions attractive targets. Social networking sites have made it easy for bad guys to guess the answers to common “personal security questions” such as your mother’s maiden name, the location of your honeymoon, your pet’s name, etc.
Phishing – One of the most common security scams, in which opening an email attachment launches a virus. Individuals send infected files as attachments with a catchy subject line in the hope that recipients will open them. The bad guys employ a number of ways to entice unsuspecting users into opening e-mail attachments, from pornography to phony security warnings and advice. Phishing schemes customized for individual targets are the latest trend.
Size Doesn’t Matter – Many SMBs think they are immune because they are small. “Why would anyone go after us?” They are wrong. SMBs constituted 31% of targeted attacks in 2012, according to the National Cyber Security Alliance. SMBs may have smaller pockets, but those pockets are much easier to get into. The bad guys always look for the “easy score” and avoid the hard ones. Remember the old story of outrunning the bear: you don’t need to be faster than the bear, you need to be faster than the guy next to you.
Our client uses a type of two-factor authentication with RSA tokens. Access to data is based on two factors: something you know (a password) and something you have (an authenticator/token such as a USB token, smart card or key fob). When a user attempts to access a protected resource, he is prompted for a unique passcode. The passcode is a combination of the user’s password and the code displayed on the authenticator token at the time of log in. Without both, access is denied.
As we said, this hacking attempt was sophisticated and well planned. The attackers first used an email phishing scam to convince an unwitting employee to give up their password. With that, the hackers had one half of the authentication. At this point the hackers called the client pretending to be from tech support.
Their story was that some of the tokens were malfunctioning. The employee was asked to provide the token number to verify whether the one they had was defective. Luckily for our client, this employee knew not to give up the information; the scam was halted and all passwords were changed. However, if the employee had given in, the hackers would have had the ability to transfer money from the firm’s bank accounts. A disaster they may not have recovered from.
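The two-factor check described above, written out as an added example (not the client’s system or RSA’s algorithm): the server expects the user’s password followed by the code currently shown on the token, so a phished password alone fails, and a token code read out over the phone is only useful while its time window is open. Assumptions, labelled in the code: an RFC 6238 (TOTP) style code stands in for the proprietary token, the secret and password are constructed demo values, and the window is set to 60 seconds.

```python
import hashlib
import hmac
import struct

# Constructed demo values. A real server stores the password only as a hash
# and the token seed in a protected store; both are plain here for clarity.
TOKEN_SECRET = b"demo-token-seed-not-real"
USER_PASSWORD = "correct horse"
TIME_STEP = 60    # assumed lifetime (seconds) of one displayed token code
DIGITS = 6        # assumed length of the displayed token code


def token_code(secret: bytes, now: float, step: int = TIME_STEP) -> str:
    """Code the authenticator would display at time `now`.

    Time-based one-time code in the style of RFC 6238 (TOTP): HMAC-SHA1 of
    the current time step, dynamically truncated to DIGITS decimal digits.
    This is a stand-in for the proprietary token, not RSA's algorithm.
    """
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** DIGITS).zfill(DIGITS)


def verify_passcode(passcode: str, now: float) -> bool:
    """Server-side check: passcode = password + current token code.

    Either half alone is rejected, and a code captured from an earlier
    time step is rejected once that step has passed.
    """
    if len(passcode) <= DIGITS:
        return False
    password, code = passcode[:-DIGITS], passcode[-DIGITS:]
    password_ok = hmac.compare_digest(password, USER_PASSWORD)
    code_ok = hmac.compare_digest(code, token_code(TOKEN_SECRET, now))
    # Evaluate both before deciding so a failure does not reveal which half was wrong.
    return password_ok and code_ok
```

Run against a fixed clock to see that the phished password by itself is refused, and that a code from an earlier window is refused even with the correct password.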
How well trained are your employees in not giving up their passwords? Does your firm need or use two-factor authentication? Modern security programs don’t come out of the box. They are an ongoing combination of technical protection and management of people. It’s the management component that is most often the weak link. To avoid becoming a target, ensure your organization is doing the following:
Standard Technical Protection – Firewalls, antivirus, active threat monitoring, etc. Most companies have these. The biggest flaw we see is that they are not always kept up to date. The base level of protection here is not just technical. It is also the managerial process of the upkeep.
Educate, then Educate again, then again – It’s critical to get your employees to understand the risks involved and then to follow simple procedures. Repetition is key, as old habits die hard. Training needs to be memorable and impactful. This is not a do-it-once-and-you’re-done project: best practices will change, people will forget and new staff will come in.
Standardize Processes to Minimize the Human Factor – Company-wide standardized policies will help. Advancements in technology also will. Don’t get stuck in old ways of doing things. Look for ways and technology that will automate processes such as updates, storage and monitoring.
Be Humble, It Will Happen – People are people, and mistakes will happen. Ensure you have a plan in place for when they do. Are your devices encrypted? Can they be wiped remotely? How regular are your backups? Prepare for the worst and hope for the best. Also ensure you test these measures. We have seen many strategically brilliant disaster recovery plans fail to work when needed.
It’s not always just your employees who are the weak links. It’s also your vendors, contractors, consultants and more. This last story is a short one. It involves a firm in the foreign exchange business. It has a large list of clients and handles a significant amount of sensitive financial data for those clients.
This firm was working with a number of vendors (with full NDAs and other standard contracts in place) on various projects. One of these was a consultant who, for all the right reasons, had a large amount of sensitive client data on his laptop. While travelling for business he rented a car. The car was broken into. The laptop was gone.
The theft itself was unavoidable. What was avoidable was the absence of security procedures to remotely wipe the hard drive of that laptop as soon as it was turned on. Without that in place, the firm had to go into immediate action: informing clients, working on PR and getting legal involved. When the dust settled, the total cost of the incident was over $2 million. Luckily this firm was able to move on despite the financial loss. Smaller firms would not have been as fortunate.
How much sensitive data do your vendors and contractors possess? How good is their security? What would you do if a laptop with sensitive info was lost or stolen?